[mingetty/f12/master] Limit length of TTY name
Petr Pisar
ppisar at fedoraproject.org
Tue Oct 26 16:38:58 UTC 2010
commit e6f01ad9f035c057806678f32eb8df08bb8cd486
Author: Petr Písař <ppisar at redhat.com>
Date: Tue Oct 26 17:33:50 2010 +0200
Limit length of TTY name
Internal buffer is 40 bytes long. Longer TTY name provided as argument could
cause buffer overflow.
mingetty-1.08-limit_tty_length.patch | 22 ++++++++++++++++++++++
mingetty.spec | 4 ++++
2 files changed, 26 insertions(+), 0 deletions(-)
---
diff --git a/mingetty-1.08-limit_tty_length.patch b/mingetty-1.08-limit_tty_length.patch
new file mode 100644
index 0000000..b477f4c
--- /dev/null
+++ b/mingetty-1.08-limit_tty_length.patch
@@ -0,0 +1,22 @@
+Limit TTY name to size of `buf' buffer
+
+Patch from <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=221841>.
+--- a/mingetty.c
++++ b/mingetty.c
+@@ -138,11 +138,12 @@
+ int fd;
+
+ /* Set up new standard input. */
+- if (tty[0] == '/')
+- strcpy (buf, tty);
+- else {
++ if (tty[0] == '/') {
++ strncpy (buf, tty, sizeof(buf)-1);
++ buf[sizeof(buf)-1] = '\0';
++ } else {
+ strcpy (buf, "/dev/");
+- strcat (buf, tty);
++ strncat (buf, tty, sizeof(buf)-strlen(buf)-1);
+ }
+ /* There is always a race between this reset and the call to
+ vhangup() that s.o. can use to get access to your tty. */
diff --git a/mingetty.spec b/mingetty.spec
index 222e505..d21e4c5 100644
--- a/mingetty.spec
+++ b/mingetty.spec
@@ -11,6 +11,8 @@ Patch0: mingetty-1.00-opt.patch
# Bug #635412
Patch1: mingetty-1.08-check_chroot_chdir_nice.patch
Patch2: mingetty-1.08-openlog_authpriv.patch
+# Bug #551754
+Patch3: mingetty-1.08-limit_tty_length.patch
%description
The mingetty program is a lightweight, minimalist getty program for
@@ -22,6 +24,7 @@ lines (you should use the mgetty program in that case).
%patch0 -p1 -b .opt
%patch1 -p1 -b .chroot
%patch2 -p1 -b .openlog
+%patch3 -p1 -b .tty_length
%build
make "RPM_OPTS=$RPM_OPT_FLAGS"
@@ -46,6 +49,7 @@ rm -rf $RPM_BUILD_ROOT
* Tue Oct 26 2010 Petr Pisar <ppisar at redhat.com> - 1.08-5
- Check chroot(), chdir(), and nice() (bug #635412)
- Open syslog with AUTPRIV facility
+- Limit TTY name length to prevent buffer overflow (bug #551754)
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.08-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
More information about the scm-commits
mailing list